Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/10/20 13:04:25 UTC

[GitHub] [druid] kfaraz opened a new pull request, #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

kfaraz opened a new pull request, #13244:
URL: https://github.com/apache/druid/pull/13244

   CVEs:
   [CVE-2022-42004](https://nvd.nist.gov/vuln/detail/CVE-2022-42004)
   [CVE-2022-42003](https://nvd.nist.gov/vuln/detail/CVE-2022-42003)
   
   <hr>
   
   - [x] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [x] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] CookieAroundTheBend commented on a diff in pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
CookieAroundTheBend commented on code in PR #13244:
URL: https://github.com/apache/druid/pull/13244#discussion_r1028125861


##########
core/src/main/java/org/apache/druid/guice/GuiceAnnotationIntrospector.java:
##########
@@ -58,9 +58,9 @@ public Object findInjectableValueId(AnnotatedMember m)
       if (m instanceof AnnotatedMethod) {
         throw new IAE("Annotated methods don't work very well yet...");
       }
-      return Key.get(m.getGenericType());
+      return Key.get(m.getType());
     }
-    return Key.get(m.getGenericType(), guiceAnnotation);
+    return Key.get(m.getType(), guiceAnnotation);
   }
 
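Review bot: in both returns of this hunk, `m.getType()` hands Guice a Jackson `JavaType` instead of the `java.lang.reflect.Type` that `getGenericType()` used to return. `JavaType` implements `java.lang.reflect.Type`, so the change compiles, but Guice's `Key.get` only knows how to canonicalize `Class`, `ParameterizedType`, `GenericArrayType` and wildcard types, so a key built from a `JavaType` will not resolve against bindings declared with the reflect type (a `Set<Foo>` injectable bound via `TypeLiteral<Set<Foo>>`, for example). Suggest converting back to a reflect type before calling `Key.get`, e.g. `m.getRawType()` for non-generic members and `Types.newParameterizedType(m.getType().getRawClass(), ...)` for container types, and covering the generic case with a unit test that drives `findInjectableValueId` over a parameterized field.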

Review Comment:
   This is needed for the changes for the StorageSelection
   https://github.com/apache/druid/pull/10363/files#diff-6bf786a6df7322201eee2b85d1a1857fc89af11af98c47be9c97449627d0673f





Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "kfaraz (via GitHub)" <gi...@apache.org>.
kfaraz closed pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs
URL: https://github.com/apache/druid/pull/13244




Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "xvrl (via GitHub)" <gi...@apache.org>.
xvrl commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1660228576

   @kfaraz do you have any plans to push this over the finish line?




Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "kfaraz (via GitHub)" <gi...@apache.org>.
kfaraz commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1669652191

   There is a new PR #14770 which should address this.




Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "kfaraz (via GitHub)" <gi...@apache.org>.
kfaraz commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1858707529

   Yes, @xvrl , we can close this for now.




Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "xvrl (via GitHub)" <gi...@apache.org>.
xvrl commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1858087446

   @kfaraz should we close this PR?




[GitHub] [druid] FrankChen021 commented on pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
FrankChen021 commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1287601432

   FYI
   
   There were two related PRs on this, we can close them once this is done.
   https://github.com/apache/druid/pull/12411
   https://github.com/apache/druid/pull/12373
   
   And an earlier PR suppressed the jackson CVE; I think we need to remove that suppression if this PR addresses the CVE:
   https://github.com/apache/druid/pull/12535




[GitHub] [druid] kfaraz commented on a diff in pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
kfaraz commented on code in PR #13244:
URL: https://github.com/apache/druid/pull/13244#discussion_r1036694081


##########
core/src/main/java/org/apache/druid/guice/GuiceAnnotationIntrospector.java:
##########
@@ -58,9 +58,9 @@ public Object findInjectableValueId(AnnotatedMember m)
       if (m instanceof AnnotatedMethod) {
         throw new IAE("Annotated methods don't work very well yet...");
       }
-      return Key.get(m.getGenericType());
+      return Key.get(m.getType());
     }
-    return Key.get(m.getGenericType(), guiceAnnotation);
+    return Key.get(m.getType(), guiceAnnotation);
   }
 

Review Comment:
   Thanks for the suggestion, @CookieAroundTheBend ! I will try to spend some time on this and get it resolved soon.





[GitHub] [druid] kfaraz commented on pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
kfaraz commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1319939272

   Hi, @CookieAroundTheBend !
   The latest version of jackson-databind has removed the method `AnnotatedMember.getGenericType()` which was being used in the Druid code in the `GuiceIntrospector`. I need to find a way to make the introspector work with `getRawType()` or `getType()`. Haven't spent much time on it though.
   
   Please let me know if you have any ideas.




[GitHub] [druid] CookieAroundTheBend commented on a diff in pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
CookieAroundTheBend commented on code in PR #13244:
URL: https://github.com/apache/druid/pull/13244#discussion_r1028096351


##########
core/src/main/java/org/apache/druid/guice/GuiceAnnotationIntrospector.java:
##########
@@ -58,9 +58,9 @@ public Object findInjectableValueId(AnnotatedMember m)
       if (m instanceof AnnotatedMethod) {
         throw new IAE("Annotated methods don't work very well yet...");
       }
-      return Key.get(m.getGenericType());
+      return Key.get(m.getType());
     }
-    return Key.get(m.getGenericType(), guiceAnnotation);
+    return Key.get(m.getType(), guiceAnnotation);
   }
 

Review Comment:
   ```suggestion
       return Key.get(getParamType(m), guiceAnnotation);
     }

     private Type getParamType(AnnotatedMember m) {
       if (m.getType().isContainerType()) {
         return Types.newParameterizedType(m.getType().getRawClass(), m.getType().getContentType().getRawClass());
       }
       return m.getRawType();
     }
   ```

   This seems to work for me (and of course changing the `Key.get(m.getType());` to `Key.get(getParamType(m));` on line 61).

   But this was on version 0.22.1 and I'm not sure if this is as robust a handling as could be needed.
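
The conversion sketched in the suggestion above, carried further as an added example (not Druid's code and not the commenter's): it maps a Jackson `JavaType` back to a `java.lang.reflect.Type` that Guice's `Key.get` accepts, and goes beyond the one-argument container case by handling maps, nested generics and arrays recursively. `JavaTypeToReflect` and `toReflectType` are hypothetical names; the `main` builds a `Map<String, List<Integer>>` key both ways and checks they are equal.

```java
import java.lang.reflect.Type;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.type.TypeFactory;
import com.google.inject.Key;
import com.google.inject.TypeLiteral;
import com.google.inject.util.Types;

// Hypothetical helper: rebuild a reflect Type from a Jackson JavaType so that
// Key.get(...) produces the same key as a binding declared via TypeLiteral.
public final class JavaTypeToReflect {

    private JavaTypeToReflect() {}

    public static Type toReflectType(JavaType jt) {
        if (jt.isArrayType()) {
            // Foo[] or List<Foo>[]: GenericArrayType over the element type
            return Types.arrayOf(toReflectType(jt.getContentType()));
        }
        if (jt.isMapLikeType()) {
            // Map<K, V>: key and value arguments rebuilt recursively
            return Types.newParameterizedType(jt.getRawClass(),
                toReflectType(jt.getKeyType()), toReflectType(jt.getContentType()));
        }
        if (jt.isContainerType()) {
            // List<T>, Set<T>, Optional-like single-argument containers
            return Types.newParameterizedType(jt.getRawClass(), toReflectType(jt.getContentType()));
        }
        if (jt.containedTypeCount() > 0) {
            // Any other generic class, e.g. Supplier<Foo>. Non-static inner generic
            // classes would need Types.newParameterizedTypeWithOwner; not handled here.
            Type[] args = new Type[jt.containedTypeCount()];
            for (int i = 0; i < args.length; i++) {
                args[i] = toReflectType(jt.containedType(i));
            }
            return Types.newParameterizedType(jt.getRawClass(), args);
        }
        // Plain class: the raw class is already a reflect Type
        return jt.getRawClass();
    }

    public static void main(String[] args) {
        TypeLiteral<Map<String, List<Integer>>> literal = new TypeLiteral<Map<String, List<Integer>>>() {};
        JavaType jt = TypeFactory.defaultInstance().constructType(literal.getType());
        Key<?> fromJackson = Key.get(toReflectType(jt));
        Key<?> fromGuice = Key.get(literal);
        System.out.println("keys equal: " + fromJackson.equals(fromGuice)); // expected: true
    }
}
```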





[GitHub] [druid] kfaraz commented on pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
kfaraz commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1287602460

   Thanks for the tip, @FrankChen021 !
   There are some backward incompatibility issues with this upgrade. I will try to get those resolved and close the older PRs.




[GitHub] [druid] CookieAroundTheBend commented on pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
CookieAroundTheBend commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1318798591

   Hey @kfaraz I am also interested in getting past these CVEs.
   What are some of the backward incompatibility issues you're seeing?
   
   Thanks for your work on this!




[GitHub] [druid] CookieAroundTheBend commented on pull request #13244: Upgrade jackson-databind to 2.13.4.2 to address CVEs

Posted by GitBox <gi...@apache.org>.
CookieAroundTheBend commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1320510452

   @kfaraz  We had Druid 0.20.2 working with newer Jackson where we did have to change that GuiceAnnotationIntrospector to use getRawType(). 
   
   Unfortunately we are trying to apply the same patch to 0.22.1 and are seeing issues most likely stemming from that change.
   
   Does this patch work for the latest Druid? Or are you seeing issues with what's in this branch as well?
   




Re: [PR] Upgrade jackson-databind to 2.13.4.2 to address CVEs (druid)

Posted by "kfaraz (via GitHub)" <gi...@apache.org>.
kfaraz commented on PR #13244:
URL: https://github.com/apache/druid/pull/13244#issuecomment-1660242893

   Not at the moment, @xvrl . I have been occupied with a few other tasks. I am okay if you would like to take it up.

